Fortinet white logo
Fortinet white logo

Administration Guide

HA virtual cluster setup

HA virtual cluster setup

Virtual clustering is an extension of FGCP HA that provides failover protection between two instances of one or more VDOMs operating on two FortiGates that are in a virtual cluster. A standard virtual cluster consists of FortiGates that are operating in active-passive HA mode with multiple VDOMs enabled.

Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiGate and traffic for other VDOMs to the secondary FortiGates. Traffic distribution between FortiGates can potentially improve throughput. If a failure occurs and only one FortiGate continues to operate, all traffic fails over to that FortiGate, similar to normal HA. If the failed FortiGates rejoin the cluster, the configured traffic distribution is restored.

In an active-passive virtual cluster of two FortiGates, the primary and secondary FortiGates share traffic processing according to the VDOM partitioning configuration. If you add a third or fourth FortiGate, the primary and first secondary FortiGate process all traffic and the other one or two FortiGates operate in standby mode. If the primary or first secondary FortiGate fails, one of the other FortiGates becomes the new primary or secondary FortiGate and begins processing traffic.

Separation of VDOM traffic

Virtual clustering creates a cluster between instances of each VDOM on the two FortiGates in the virtual cluster. All traffic to and from a given VDOM is sent to one of the FortiGates where it stays within its VDOM and is only processed by that VDOM. One FortiGate is the primary FortiGate for each VDOM and one FortiGate is the secondary FortiGate for each VDOM. The primary FortiGate processes all traffic for its VDOMs; the secondary FortiGate processes all traffic for its VDOMs.

Virtual clustering and heartbeat interfaces

The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface for each VDOM.

Special considerations for NPU-based VLANs in a Virtual Cluster

In an FGCP cluster, the primary FortiGate uses virtual MAC addresses when forwarding traffic, and the secondary uses the physical MAC addresses when forwarding traffic. In a virtual cluster, packets are sent with the cluster’s virtual MAC addresses. However, in the case of NPU offloading on a non-root VDOM, traffic that leaves an NPU-based VLAN will use the physical MAC address of its parent interface rather than the virtual MAC address. If this behavior is not desired, disable auto-asic-offload in the firewall policy where the VLAN interface is used.

Example

This example shows a virtual cluster configuration consisting of two FortiGates. The virtual cluster has two VDOMs, Root and End_vdm.

Note

The root VDOM can only be associated with virtual cluster 1.

The VDOM that is assigned as the management VDOM can also only be associated with virtual cluster 1.

To set up an HA virtual cluster using the GUI:
  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:

    Mode

    Active-Passive

    Device priority

    128 or higher

    Group name

    Example_cluster

    Heartbeat interfaces

    ha1 and ha2

    Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  5. Click OK.

    The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting setting the device priority, to join the cluster.
  7. Go to System > Settings and enable Virtual Domains.
  8. Click Apply. You will be logged out of the FortiGate.
  9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
  10. Create two new VDOMs, such as VD1 and VD2:
    1. Click Create New. The New Virtual Domain page opens.
    2. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
    3. Repeat these steps to create a second new VDOM.
  11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster 2:
    1. Go to System > HA.
    2. Enable VDOM Partitioning.
    3. Click on the Virtual cluster 2 field and select the new VDOMs.

    4. Click OK.
To set up an HA virtual cluster using the CLI:
  1. Make all the necessary connections as shown in the topology diagram.
  2. Set up a regular A-P cluster. See HA active-passive cluster setup.
  3. Enable VDOMs:
    config system global
        set vdom-mode multi-vdom
    end

    You will be logged out of the FortiGate.

  4. Create two VDOMs:
    config vdom
        edit VD1
        next
        edit VD2
        next
    end
  5. Reconfigure the HA settings to be a virtual cluster:
    config global
        config system ha    
            set vcluster2 enable
            config secondary-vcluster
                set vdom "VD1" "VD2"
            end
        end
    end

HA virtual cluster setup

HA virtual cluster setup

Virtual clustering is an extension of FGCP HA that provides failover protection between two instances of one or more VDOMs operating on two FortiGates that are in a virtual cluster. A standard virtual cluster consists of FortiGates that are operating in active-passive HA mode with multiple VDOMs enabled.

Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiGate and traffic for other VDOMs to the secondary FortiGates. Traffic distribution between FortiGates can potentially improve throughput. If a failure occurs and only one FortiGate continues to operate, all traffic fails over to that FortiGate, similar to normal HA. If the failed FortiGates rejoin the cluster, the configured traffic distribution is restored.

In an active-passive virtual cluster of two FortiGates, the primary and secondary FortiGates share traffic processing according to the VDOM partitioning configuration. If you add a third or fourth FortiGate, the primary and first secondary FortiGate process all traffic and the other one or two FortiGates operate in standby mode. If the primary or first secondary FortiGate fails, one of the other FortiGates becomes the new primary or secondary FortiGate and begins processing traffic.

Separation of VDOM traffic

Virtual clustering creates a cluster between instances of each VDOM on the two FortiGates in the virtual cluster. All traffic to and from a given VDOM is sent to one of the FortiGates where it stays within its VDOM and is only processed by that VDOM. One FortiGate is the primary FortiGate for each VDOM and one FortiGate is the secondary FortiGate for each VDOM. The primary FortiGate processes all traffic for its VDOMs; the secondary FortiGate processes all traffic for its VDOMs.

Virtual clustering and heartbeat interfaces

The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface for each VDOM.

Special considerations for NPU-based VLANs in a Virtual Cluster

In an FGCP cluster, the primary FortiGate uses virtual MAC addresses when forwarding traffic, and the secondary uses the physical MAC addresses when forwarding traffic. In a virtual cluster, packets are sent with the cluster’s virtual MAC addresses. However, in the case of NPU offloading on a non-root VDOM, traffic that leaves an NPU-based VLAN will use the physical MAC address of its parent interface rather than the virtual MAC address. If this behavior is not desired, disable auto-asic-offload in the firewall policy where the VLAN interface is used.

Example

This example shows a virtual cluster configuration consisting of two FortiGates. The virtual cluster has two VDOMs, Root and End_vdm.

Note

The root VDOM can only be associated with virtual cluster 1.

The VDOM that is assigned as the management VDOM can also only be associated with virtual cluster 1.

To set up an HA virtual cluster using the GUI:
  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:

    Mode

    Active-Passive

    Device priority

    128 or higher

    Group name

    Example_cluster

    Heartbeat interfaces

    ha1 and ha2

    Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  5. Click OK.

    The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting setting the device priority, to join the cluster.
  7. Go to System > Settings and enable Virtual Domains.
  8. Click Apply. You will be logged out of the FortiGate.
  9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
  10. Create two new VDOMs, such as VD1 and VD2:
    1. Click Create New. The New Virtual Domain page opens.
    2. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
    3. Repeat these steps to create a second new VDOM.
  11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster 2:
    1. Go to System > HA.
    2. Enable VDOM Partitioning.
    3. Click on the Virtual cluster 2 field and select the new VDOMs.

    4. Click OK.
To set up an HA virtual cluster using the CLI:
  1. Make all the necessary connections as shown in the topology diagram.
  2. Set up a regular A-P cluster. See HA active-passive cluster setup.
  3. Enable VDOMs:
    config system global
        set vdom-mode multi-vdom
    end

    You will be logged out of the FortiGate.

  4. Create two VDOMs:
    config vdom
        edit VD1
        next
        edit VD2
        next
    end
  5. Reconfigure the HA settings to be a virtual cluster:
    config global
        config system ha    
            set vcluster2 enable
            config secondary-vcluster
                set vdom "VD1" "VD2"
            end
        end
    end